A few years ago, most firms managed cybersecurity and made investment decisions based mainly on industry best practices. They adopted certain technologies, policies and practices without a detailed understanding of their own overall cyber risk situation. As a result, very few successfully developed and deployed a strategic, comprehensive and effective cyber risk management framework. Lacking a clear articulation of how cyber risks integrate into organizational risk, many firms experienced persistent under-funding of their information security budgets.